spiffe: add support for spiffe bundle format #36190

Open
wants to merge 10 commits into
base: main

@briansonnenberg briansonnenberg commented Sep 18, 2024

Commit Message: Adds alternative to "trust_domains" config for the spiffe validator—"trust_bundle_map".

Additional Description:

#35567
trust_bundle_map points to a local file containing a SPIFFE bundle map. A file watcher is set up to trigger refreshes to the SPIFFE data when this file is modified. SPIFFE refresh hint and sequence number are currently ignored.

Risk Level: medium
Testing: WIP
Docs Changes: TBD
Release Notes: TBD
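
The refresh behaviour described above, sketched in Python as an added example (not code from this PR or from Envoy). It assumes a bundle map is a JSON object with a top-level `trust_domains` object keyed by trust domain, each value a SPIFFE bundle whose X.509 authorities are JWKs with `use` set to `x509-svid` and an `x5c` array; `parse_bundle_map`, `BundleMapStore` and the sample data are hypothetical names, a stat-based poll stands in for the file watcher, and keeping the last good map on a failed reload is this example's choice.

```python
import json
import os

X509_USE = "x509-svid"  # JWK "use" value for X.509 authorities in a SPIFFE bundle

# Constructed sample; the x5c value is a placeholder, not a real certificate.
SAMPLE = json.dumps({"trust_domains": {"example.org": {
    "spiffe_sequence": 1, "spiffe_refresh_hint": 300, "keys": [
        {"kty": "RSA", "use": X509_USE, "x5c": ["Q09OU1RSVUNURUQ="]},
        {"kty": "EC", "use": "jwt-svid", "kid": "constructed"}]}}})


def parse_bundle_map(text):
    """Return {trust_domain: [x5c leaf entries]}; raise ValueError if malformed."""
    doc = json.loads(text)  # json.JSONDecodeError is a ValueError subclass
    domains = doc.get("trust_domains") if isinstance(doc, dict) else None
    if not isinstance(domains, dict) or not domains:
        raise ValueError("missing or empty 'trust_domains'")
    result = {}
    for name, bundle in domains.items():
        keys = bundle.get("keys") if isinstance(bundle, dict) else None
        if not isinstance(keys, list):
            raise ValueError(f"{name}: 'keys' must be a list")
        # spiffe_sequence and spiffe_refresh_hint are deliberately not read.
        certs = [k["x5c"][0] for k in keys if isinstance(k, dict)
                 and k.get("use") == X509_USE
                 and isinstance(k.get("x5c"), list) and k["x5c"]]
        if not certs:
            raise ValueError(f"{name}: no {X509_USE} authority")
        result[name] = certs
    return result


class BundleMapStore:
    """Holds the last bundle map that parsed cleanly."""
    def __init__(self, path):
        self.path, self.bundles, self._seen = path, {}, None

    def refresh(self):
        """Reload if the file changed; True only when a new map is installed."""
        stat = os.stat(self.path)
        seen = (stat.st_mtime_ns, stat.st_size)
        if seen == self._seen:
            return False
        self._seen = seen
        try:
            with open(self.path, encoding="utf-8") as handle:
                self.bundles = parse_bundle_map(handle.read())
        except ValueError:
            return False  # keep the previous bundles rather than trusting nothing
        return True
```

A half-written or truncated file fails parsing and leaves `bundles` unchanged, so a reload that races with the writer does not empty the trust store.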


CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

@jmarantz
Contributor

/wait

Member

@wbpcode wbpcode left a comment

Thanks for the contribution. Some new comments to the API to start the review. And please address the comment from @markdroth.

@markdroth
Contributor

/lgtm api

@kyessenov
Contributor

Please merge main.
/wait

@alyssawilk
Contributor

/wait on CI

Member

@wbpcode wbpcode left a comment

Thanks for the contribution and patience. And some comments are added.

@wbpcode
Member

wbpcode commented Oct 17, 2024

Please also check the CI :)

Member

@wbpcode wbpcode left a comment

Thanks so much for all your contribution and time for this great work. And only some points need to be addressed:

  1. Code: I think we have refactored the JSON-related code to make it exception free. I think you may need to update related code.
  2. CI, CI still not happy.
  3. The unnecessary test data updating.

@wbpcode
Member

wbpcode commented Nov 7, 2024

And I just found another problem: it seems the SPIFFE bundle map is still a Draft.

Is this OK to accept this implementation? cc @alyssawilk

@wbpcode
Member

wbpcode commented Nov 7, 2024

/wait

@markdroth
Contributor

/lgtm api

@repokitteh-read-only repokitteh-read-only bot removed the api label Nov 8, 2024
@wbpcode
Member

wbpcode commented Nov 13, 2024

/wait ci

@yanavlasov
Contributor

@briansonnenberg please fix DCO and format https://github.com/envoyproxy/envoy/actions/runs/11732634738/job/32685328220#step:13:527 errors

/wait

@RyanTheOptimist
Contributor

/wait

Signed-off-by: Brian Sonnenberg <[email protected]>
8 participants